Cisco Support Community

ASA - External Interface / BGP

I have attached my network diagram in a pdf.

My ASA is configured with two outside interfaces, one to each ISP.
Each ISP router is getting a default route from the provider.

I am currently using HSRP between the two routers on the inside interface on BVI interfaces of the routers.

I have a static default route configured on the ASA for ISP #1 HSRP's address.

I have IBGP running between the two routers.

I have a local weight preference on each router to take its own ISP out.

I want to utilize ISP #2 more and have created a few static default routes out that HSRP address.

Should I do away with one of the outside interfaces on the ASA?

What is the best way to handle the routing on the outside of the ASA?


Accepted Solutions

Re: ASA - External Interface / BGP

Hello Trippi,

>> My ASA is configured with two outside interfaces

This can be a problem. The ASA can perform load balancing towards different next-hops that are out the SAME interface.

The ASA is a FW first, so the outgoing interface is chosen by the FW xlate according to its configuration.

See:

>> Load sharing on the adaptive security appliance is possible only for multiple next-hops available using single egress interface. Load sharing cannot share multiple egress interfaces.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_overview.html#wp1095679

I would suggest that you review your design in order to have a single outside interface to reach both routers.

Hope to help

Giuseppe
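
Added example, not part of the original reply and not Cisco code: a Python check that applies the rule quoted above to an ASA's static `route` lines and reports, per destination, whether the configured next hops can be load shared. The sample configuration, the interface names (`outside1`, `outside2`, `inside`) and the documentation-range addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: ASA static routes using documentation addresses
# (RFC 5737). Interface names outside1/outside2/inside are assumptions.
SAMPLE_CONFIG = """\
route outside1 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
route outside1 203.0.113.0 255.255.255.0 192.0.2.1 1
route outside1 203.0.113.0 255.255.255.0 192.0.2.2 1
route inside 10.0.0.0 255.0.0.0 10.1.1.254
"""

# route <if_name> <dest> <mask> <gateway> [distance]
ROUTE_RE = re.compile(
    r"^route\s+(?P<ifc>\S+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<gw>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+(?P<dist>\d+))?")

def parse_routes(config):
    """Group static routes: {(net, mask): [(ifc, gateway, distance)]}."""
    routes = defaultdict(list)
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dist = int(m.group("dist") or 1)  # distance defaults to 1
            routes[(m.group("net"), m.group("mask"))].append(
                (m.group("ifc"), m.group("gw"), dist))
    return routes

def classify(config):
    """Label every destination that has more than one next hop."""
    result = {}
    for dest, hops in parse_routes(config).items():
        if len(hops) < 2:
            continue
        best = min(d for _, _, d in hops)
        active = [gw for _, gw, d in hops if d == best]
        if len({ifc for ifc, _, _ in hops}) > 1:
            # Next hops behind different egress interfaces are not shared.
            result[dest] = "multi-interface: no load sharing"
        elif len(active) > 1:
            result[dest] = "single interface: load sharing possible"
        else:
            result[dest] = "single interface: primary/backup only"
    return result

if __name__ == "__main__":
    for dest, verdict in classify(SAMPLE_CONFIG).items():
        print(dest, verdict)
```
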

